Skip to:
Content
Pages
Categories
Search
Top
Bottom

Allow all characters in a PHP “explode” function

  • Avatar of Uncle Nerdicus
    Uncle Nerdicus
    Participant

    @nerdicus99

    I have a piece of PHP code that gets a list of allowed extensions from the WordPress Database and only allows files uploaded that are those file extensions. What I would like to do is make the code allow ALL extensions but NOT allow only a couple of file extensions (executables like exe, shells, binaries, etc.)

    Here is the code:
    $allwd_ext = get_option( ‘ma_allowedExtension’ );
    $allowedExts = explode(“,”,$allwd_ext);
    $extension = end(explode(“.”, $_FILES[$f_u]["name"]))`;

    Any ideas appritiated :)

Viewing 5 replies - 1 through 5 (of 5 total)
  • Avatar of @modemlooper
    @modemlooper
    Moderator

    @modemlooper

    shouldn’t you check type at the upload point? This is an example not tested

    $array = array( one, two, three );
    $type = $_FILES['upload_file']['type'];

    if ( in_array( $type, $array ) ) return false;

    Avatar of @modemlooper
    @modemlooper
    Moderator

    @modemlooper

    or use pathinfo() to get extension

    Avatar of Uncle Nerdicus
    Uncle Nerdicus
    Participant

    @nerdicus99

    @modemlooper Thanks for your reply :) I believe what you suggested in the first place is possible, I just posted the entire PHP file at http://pastebin.com/WnpZsY1t – It’s the “actions.php” file from the “buddy press-messages-attachment” plugin. The code excerpt I posted was lines 47-50. Where would I embed the code you suggest to make this work out?

    Avatar of @modemlooper
    @modemlooper
    Moderator

    @modemlooper

    In that plugin does it have an admin option you enter for specific extensions? Also, it’s a bit dangerous to allow everything accept a few file types. Could open up a security flaw.

    Avatar of Uncle Nerdicus
    Uncle Nerdicus
    Participant

    @nerdicus99

    The plugin has this setting, yes. (Screenshot at http://yn.yazzietech.com/data/Message_Attachment_Settings.jpg ) That is true, I am running on a Redhat Linux hosting account, so I figure block the scripts that could be executed on Unix and that would cover it. I suppose you could also change a file’s permission to 644 on Upload? What is annoying is this plugin prints the allowed types, resulting in nonsense like this: http://yn.yazzietech.com/data/BuddyPress_Messages.jpg

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.